Thursday, May 26, 2016

Manually install OOMADS on domain controllers

There are already threads in the forum regarding that, but they are kind of misleading. So I decided to write a blog post on that – after a long time.

There are additional steps required if you install the SCOM agent on domain controllers manually. If you miss them, you will see alerts in SCOM like this:

Script Based Test Failed to Complete

AD General Response : The script 'AD General Response' failed to create object 'McActiveDir.ActiveDirectory'. This is an unexpected error.

The error returned was 'ActiveX component can't create object' (0x1AD)

The Active Directory Management Pack Objects (OOMADs) components are not installed on the Domain Controller. These components are required for the monitoring scripts to run successfully. See Alert Knowledge for additional details.

These steps are:

  1. Copy OOMADs.msi from the management server (MS): "D:\Program Files\Microsoft System Center 2012 R2\Operations Manager\Server\AgentManagement\amd64\OOMADs.msi"
  2. Paste it on DC: "C:\Program Files\Microsoft Monitoring Agent\Agent\HelperObjects"
  3. Uninstall any existing “Active Directory Management Pack Helper Object” from Programs and Features
  4. Open an elevated CMD
  5. Run: "C:\Program Files\Microsoft Monitoring Agent\Agent\HelperObjects\OOMADs.msi"
  6. Once finished, check if file exists: "C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll"
  7. Stop agent
  8. Delete folder: "C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State"
  9. Start agent
  10. Check if events/alerts occur again

Cheers,
Patrick
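
Steps 4 to 9 above as a PowerShell script, added here as an example and not part of the original post. It assumes the agent service is named HealthService, uses msiexec's silent switch instead of the interactive installer, and adds an Authenticode check on the MSI and the installed DLL that the original steps do not include.

```powershell
# Added example: run on the domain controller after steps 1-3 (MSI copied,
# old "Active Directory Management Pack Helper Object" uninstalled).
$ErrorActionPreference = 'Stop'

# Paths exactly as given in the steps above
$msi      = 'C:\Program Files\Microsoft Monitoring Agent\Agent\HelperObjects\OOMADs.msi'
$dll      = 'C:\Program Files\Common Files\Active Directory Management Pack Objects\oomads.dll'
$stateDir = 'C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State'
$log      = Join-Path $env:TEMP 'OOMADs-install.log'   # assumption: any writable log path

# Step 4: the installer and the service operations need an elevated session
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

if (-not (Test-Path -LiteralPath $msi)) { throw "MSI not found: $msi" }

# Added check (not in the original steps): refuse to install a package on a
# domain controller whose signature does not validate after the copy.
$sig = Get-AuthenticodeSignature -LiteralPath $msi
"MSI signature: $($sig.Status) / $($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') { throw "Signature check failed for $msi" }

# Step 5: install silently with a verbose log (0 = success, 3010 = reboot required)
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$msi`" /qn /l*v `"$log`"" -Wait -PassThru
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $log"
}

# Step 6: the helper object must exist now
if (-not (Test-Path -LiteralPath $dll)) { throw "Not found after install: $dll" }
"DLL signature: $((Get-AuthenticodeSignature -LiteralPath $dll).Status)"

# Steps 7-9: stop the agent, clear its cache, start it again
Stop-Service -Name HealthService -Force
if (Test-Path -LiteralPath $stateDir) {
    Remove-Item -LiteralPath $stateDir -Recurse -Force
}
Start-Service -Name HealthService
Get-Service -Name HealthService

# Step 10: look at the most recent agent events for the script failure
Get-WinEvent -LogName 'Operations Manager' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```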

Thursday, July 23, 2015

Notification Channel body contains more than 160 characters

When configuring a notification channel for text messages from within the Operations Console, you quickly realize that the parameters exceed 160 characters, so you're not able to save that configuration. Below are the steps to work around that:
  1. Export the unsealed Notifications Internal Library MP.
  2. Open it with your editor (e.g. Notepad++).
  3. Search for the name of the channel you configured in the console. There should be a display string entry starting with 'SMSEndpoint for' followed by the name of the channel.
  4. Copy the ElementID from the line above (starting with 'SmsEndpoint').
  5. Search for the ElementID in the MP.
  6. Look for a line starting with 'WriteAction ID="Transport" TypeID="SmsEndpoint' followed by the ElementID.
  7. Find the Body tag two lines above.
  8. Modify the line for your need.
  9. Save the XML.
  10. Import the XML into SCOM.
  11. Test it.
All information is provided "as is" without any warranty! Try in lab before. Handle with care in production.

Saturday, April 4, 2015

UNIX/Linux Log File Monitor RegEx Sample

In SCOM you have the option to use Monitoring Templates to monitor log files for patterns you define.

In the out-of-the-box template you only have the option for one regex pattern. But what if you’d like to match a positive pattern and exclude a negative one as well?

Easy, as long as you understand how to build regular expressions.

In my sample I’m searching for the pattern ‘positive’ while the string should not match the pattern ‘negative’.

Here’s the regex you could use:
((?i:positive)(?!(.*negative)))

You can test the regex against a sample string directly from the wizard:

Furthermore, you could search for multiple patterns. Here’s the regex you could use:
((?i:positive1|positive2)(?!(.*negative)))

Happy RegEx’ing!
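
How the two patterns above behave on sample lines, as an added example that is not part of the original post. It evaluates them with the .NET regex class from PowerShell, which is an assumption about the engine (the one used by the wizard or the agent may differ); the sample lines and the third pattern are constructed for illustration.

```powershell
# Added example: compare the post's patterns with a variant that rejects the
# negative term wherever it occurs in the line and in any case.
$patterns = [ordered]@{
    Single   = '((?i:positive)(?!(.*negative)))'              # from the post
    Multi    = '((?i:positive1|positive2)(?!(.*negative)))'   # from the post
    Anywhere = '^(?!.*(?i:negative)).*(?i:positive)'          # added variant, not from the post
}

# Constructed sample log lines
$lines = @(
    'service reported positive result',
    'POSITIVE result, then negative follow-up',
    'negative precheck, positive result',
    'positive result, NEGATIVE follow-up',
    'job positive2 finished',
    'nothing of interest'
)

$results = foreach ($line in $lines) {
    $row = [ordered]@{ Line = $line }
    foreach ($name in $patterns.Keys) {
        # [regex]::IsMatch is case-sensitive unless the pattern says otherwise,
        # so only the (?i:...) groups are matched case-insensitively.
        $row[$name] = [regex]::IsMatch($line, $patterns[$name])
    }
    [pscustomobject]$row
}

$results | Format-Table -AutoSize
```

Under .NET semantics the post's patterns still match a line where 'negative' appears before 'positive' or in a different case, because the lookahead only inspects the text after the match and sits outside the (?i:) group; the added variant rejects both.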

Thursday, February 19, 2015

Monitor SCSM 2012 SP1 or R2 with SCOM

Yesterday the question came up whether it is a good idea to push-deploy SCOM agents to SCSM 2012 SP1 or R2 MS and DW role servers. The short answer: no! (NO! NEVER! DON’T DO THAT!)

Why? Unfortunately, it is possible to push an agent to those systems. SCOM would determine that there is an existing agent in place and would upgrade it to the most recent version available on the SCOM MS. Monitoring, after that, would work as expected, but the SCSM workflows will collapse. (BTW: who came up with the great idea of taking parts of SCOM as the SCSM base without changing services, processes, logs, …? That is a pain in the … consultant's/admin's head.)

The only right way is to install SCSM SP1 or R2 as required (maybe already done). After that you’ll find the “Microsoft Monitoring Agent” on those systems where you can configure your SCOM Management Group information.

If you’ve set the SCOM security setting to “Review new manual agent installations in pending management view”, you will see them immediately under Pending Management in the SCOM Administration pane. If you’ve checked the option “Automatically approve new manually installed agents”, they will get monitored automatically.

The self-service portal is something different (BTW: did you know that we’ve developed an awesome self-service portal? And we will release a new major version these days! More here: http://www.syliance.com/marketplace/itsm-portal). More on SSP below.

Here is the official documentation on that (bad luck that they didn’t update the SCSM MP guide):

https://technet.microsoft.com/en-us/library/hh524312.aspx

System Center 2012 – Operations Manager

System Center 2012 – Operations Manager is supported by Service Manager and Service Manager SP1 for connectors and agents. However, only corresponding System Center versions are supported when you register a data source in the Data Warehouse workspace.

System Center 2012 – Operations Manager agents were not supported with System Center 2012 – Service Manager. However, the agent that is automatically installed by System Center 2012 – Service Manager SP1 is compatible with System Center 2012 – Operations Manager and System Center 2012 – Operations Manager SP1. After Service Manager Setup completes, you must manually configure the agent to communicate with the Operations Manager management server.

To validate that the Operations Manager Agent was installed, open Control Panel and verify that the Operations Manager Agent is present. To manually configure the Operations Manager agent, see Configuring Agents.

Operations Manager Agents with the Self-Service Portal and Service Manager console

If you want to monitor a server that will host Self-Service Portal components or the Service Manager console that does not already host other Service Manager roles, then you should deploy the Operations Manager agent to the server before you install the Self-Service portal or the Service Manager console. After you’ve installed either, you should give special consideration to removing the portal or Self Service console. If an Operations Manager agent is installed on the server that hosts the portal or console and you remove the either, then the Operations Manager agent is also removed.

If you have already installed the portal or console to a server that does not host other Service Manager roles, and you want to deploy an Operations Manager agent to it, then the agent deployment will fail. However, you can prevent agent deployment failure by using the following procedure to back up, remove, and restore the Service Manager product registry key.

To back up, remove, and restore the Service Manager product registry key
  1. Export the Service Manager key from HKEY_CLASSES_ROOT\Installer\Products\<ServiceManagerGUID>. You can find the key by searching at the Products node for Data equal to Service Manager.

  2. Delete the registry key.

  3. Deploy the Operations Manager agent to the server.

  4. Import the key you exported from step 2.

Thursday, February 12, 2015

What happens when the state changes?

The question came up in relation to a custom connector that is to be developed.

I’ve been asked what happens when the state of an object/alert changes from warning to critical (or the other way around), more specifically, will the same alert be updated or will the warning alert disappear (closed, deleted, whatever…) and a new critical one raised?

To show that, I created an override for the “Windows Server 2012 Logical Disk Free Space (MB) Low” monitor so that it is enabled and generates an alert for both warning and critical state, and I configured testing thresholds. Further, I decreased the interval to 60sec for testing.

After that I created a dummy file that is big enough to reach the warning but small enough to not reach the critical threshold using the following command:
fsutil file createnew $env:temp\dummy.bin (40gb)

After 60sec the following warning alert has been created:

I collected the interesting (warning) alert information using Get-SCOMAlert, see table below.

After that I deleted the dummy file:
del $env:temp\dummy.bin

And I created a new file that reaches the critical threshold:
fsutil file createnew $env:temp\dummy.bin (45gb)

Again, within 60sec a critical alert has been raised:

I collected the interesting (critical) alert information using Get-SCOMAlert, see table below.

Again, I deleted the dummy file to clean up:
del $env:temp\dummy.bin

And removed all the overrides I created initially.

Here are the alert details that have been kept behind the scenes:

Warning Alert Details:

Id : cdb71a4a-9621-4372-84d3-aad8be07f160
Name : Logical Disk Free Space in MBytes is low
Description : The disk C: on computer <FQDN> is running out of disk space.
    The value that exceeded the threshold is 6552 free Mbytes.
Severity : Warning
TimeRaised : 02.12.2015 10:04
TimeAdded : 02.12.2015 10:04
LastModified : 02.12.2015 10:04
StateLastModified : 02.12.2015 10:04

Critical Alert Details:

Id : cdb71a4a-9621-4372-84d3-aad8be07f160
Name : Logical Disk Free Space in MBytes is low
Description : The disk C: on computer <FQDN> is running out of disk space.
Severity : Error
TimeRaised : 02.12.2015 10:04
TimeAdded : 02.12.2015 10:04
LastModified : 02.12.2015 10:08
StateLastModified : 02.12.2015 10:08

As you can see: the alert ID is the same. The severity has been changed from Warning to Critical and the (State)LastModified timestamps have been updated.

Conclusion: it’s the same alert with a new severity.

Monday, February 2, 2015

Remove duplicate Performance Entries

A couple of weeks ago, Microsoft released a new MP version for Windows Server Operating System. The version number was 6.0.7294.0 and it brought some fixes for Mount Point monitoring and, unfortunately, some bugs related to Logical Disk discovery, monitoring and performance collection.

Last Friday they released a fixed version (6.0.7296.0):
http://www.microsoft.com/en-us/download/details.aspx?id=9296

After importing the new version everything looks good but the multiple entries in the Performance Views remain.

Below you can find the SQL statements to get rid of them. Always keep in mind that manipulating the database directly is completely unsupported! Everything you do here is at your own risk! Try in lab before!

Let’s go…

Show all Logical Disk performance entries where the Display Name is not equal to the Instance Name:

-- List LogicalDisk performance sources whose entity display name
-- differs from the perfmon instance name.
USE OperationsManager;
SELECT PS.PerformanceSourceInternalId, BME.BaseManagedEntityId, BME.DisplayName, PS.PerfmonInstanceName,
       PC.CounterName, PC.ObjectName, PS.TimeAdded, PS.LastModified, PDA.PerformanceSourceInternalId
FROM PerformanceSource PS
LEFT JOIN PerformanceDataAllView PDA ON PDA.PerformanceSourceInternalId = PS.PerformanceSourceInternalId
JOIN PerformanceCounter PC ON PC.PerformanceCounterId = PS.PerformanceCounterId
JOIN BaseManagedEntity BME ON BME.BaseManagedEntityId = PS.BaseManagedEntityId
WHERE PC.ObjectName = 'LogicalDisk'
  AND BME.DisplayName <> PS.PerfmonInstanceName
  -- drive letters (e.g. C:) or mount points shown as a volume GUID path
  AND (BME.DisplayName LIKE '%:%' OR BME.DisplayName LIKE '\\?\Volume%');

Attention: back up your Operational Database before you move on!

Delete all Logical Disk performance entries where the Display Name is not equal to the Instance Name:

-- Delete exactly the rows returned by the SELECT above.
USE OperationsManager;
DELETE FROM PerformanceSource
WHERE PerformanceSourceInternalId IN
(
    SELECT PS.PerformanceSourceInternalId
    FROM PerformanceSource PS
    LEFT JOIN PerformanceDataAllView PDA ON PDA.PerformanceSourceInternalId = PS.PerformanceSourceInternalId
    JOIN PerformanceCounter PC ON PC.PerformanceCounterId = PS.PerformanceCounterId
    JOIN BaseManagedEntity BME ON BME.BaseManagedEntityId = PS.BaseManagedEntityId
    WHERE PC.ObjectName = 'LogicalDisk'
      AND BME.DisplayName <> PS.PerfmonInstanceName
      -- same filter as in the SELECT: drive letters or volume GUID paths
      AND (BME.DisplayName LIKE '%:%' OR BME.DisplayName LIKE '\\?\Volume%')
);

After that, the duplicate entries in the performance view will disappear.

Good luck!

Tuesday, January 27, 2015

AD Computers without Agent Dashboard

I created a PowerShell script which shows all computers in a defined Domain/OU structure that have no SCOM Agent installed in a PowerShell Grid Widget.

The script shows all computers and the Domain/OU that has been scanned:

It is mandatory to change the SearchBase string in the second line of the script.

Further, it is possible to exclude known computers without agents to avoid showing them in the widget.

This version is only able to search one Domain/OU but it is possible to create a dashboard with multiple widgets running for different Domains/OU.

The script can be downloaded from the TechNet Gallery:
https://gallery.technet.microsoft.com/PSGW-Computers-without-f4199ba7

Monday, December 15, 2014

Create a Group containing all Computers hosting an Application

This sample uses SQL Server, even though a group (SQL Computers) is already available after importing the SQL MPs.

There is a link to the gallery if you’d like to download the sample MP at the bottom of this post.

Create a MP with a Group that contains all classes involved

This task is just in case you’re not so familiar with how to find the proper class ID.

Create a new Group within a (new) MP:

Select all classes involved (here Windows Computers and SQL Engines):

The formula now looks like the following and would show all Windows Computers and all SQL Engines, which is not the goal of this task:

Export MP and edit the MP (for instance using Notepad++).

Increase the MP Version

The next step is to increase the version number to allow importing it again into your Management Group:

<Manifest>
<Identity>
<ID>Custom.Groups.Management.Pack</ID>
<Version>1.0.0.1</Version>
</Identity>

Optional: set default language

Move down to LanguagePacks.
Change IsDefault to true for the language you’d like to use by default:

<LanguagePack ID="ENU" IsDefault="false">
should become
<LanguagePack ID="ENU" IsDefault="true">

Remove other languages if not needed.

Optional: cleanup the automatically created IDs

Search and replace the automatically generated IDs by something more readable, for instance:

Folder_2caa4b7e281c435b841a54dd143e8fdd
should become
Custom.Groups.Management.Pack.Folder

UINameSpace53f2e808dba448bab7f3f717cc8b2d4f
should become
Custom.Groups.Management.Pack.WindowsHostingSql

Change the Group Calculation to include all SQL Servers

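To change the group calculation, add the lines marked green, copy the class marked yellow from the red section into the green one, and remove the lines marked red. The colour marking is not preserved in the listing below: the green lines are the <Expression>/<Contains> block of the first MembershipRule, the yellow class is Microsoft.SQLServer.DBEngine, and the red section is the second MembershipRule.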

<DataSource ID="GroupPopulationDataSource" TypeID="SystemCenter!Microsoft.SystemCenter.GroupPopulator">
    <RuleId>$MPElement$</RuleId>
    <GroupInstanceId>$MPElement[Name="Custom.Groups.Management.Pack.WindowsHostingSql.Group"]$</GroupInstanceId>
    <MembershipRules>
        <MembershipRule>
            <MonitoringClass>$MPElement[Name="MicrosoftWindowsLibrary7585010!Microsoft.Windows.Computer"]$</MonitoringClass>
            <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
            <Expression>
                <Contains>
                    <MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary6510!Microsoft.SQLServer.DBEngine"]$</MonitoringClass>
                </Contains>
            </Expression>
        </MembershipRule>
        <MembershipRule>
            <MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary6510!Microsoft.SQLServer.DBEngine"]$</MonitoringClass>
            <RelationshipClass>$MPElement[Name="MicrosoftSystemCenterInstanceGroupLibrary7585010!Microsoft.SystemCenter.InstanceGroupContainsEntities"]$</RelationshipClass>
        </MembershipRule>
    </MembershipRules>
</DataSource>

Import the MP in SCOM

Save the XML and import it into SCOM

Check the Group

Under Authoring, Groups, search for the group and right-click to show all members:

The view should contain all computers hosting SQL monitored by your SCOM.

Download

The sample MP from above can be found here: https://gallery.technet.microsoft.com/Sample-MP-for-Group-of-26dce52c

Monday, December 8, 2014

Correlated Missing Event Detection

Since it is not possible to drop more than 2 images into a forum reply I use my blog to provide the screenshot for a question there.

The original thread can be found here.

Under Authoring, Monitor, create a new unit monitor. Choose Correlated Missing Event Detection:

Enter a proper name and description and choose your target (Windows Computer would be all):

Select the event log for the event that resets your monitor back to healthy (if you’ve chosen event reset above):

Enter the event ID and the source. As a sample, I took a single occurrence of event ID 2 as the reset:

Choose the event log where the first event is logged:

Enter the event ID for the first event you’re expecting:

Choose the event log for the second event:

Enter the event ID for the second event you’re expecting:

Choose the correlation mode, here B must follow A within 60sec:

Set the missing event to warning and the other to healthy (could be timer reset as well):

Configure the alert settings as you’d like to see the alert in the alert views:

Cheers,
Patrick

Unable to copy new agent to this computer

Today I had an interesting one:

I had to update a lot of UNIX/Linux machines from 1.5.1-112 to 1.5.1-138 (shipped at the same time as SCOM 2012 R2 UR4). As expected a couple of machines did not update successfully. Unfortunately, a lot of machines had the status “Failed” – all but one with the Message “Unable to copy new agent to this computer” with the exit code “-1073479144”.

Before discussing that situation with the UNIX team I wanted to try it again, and during the next update wave just half of the machines ended up failed; the rest were successful. So I tried again and again and after 5 iterations all machines (but one with another failure) had been updated without any other issue.

Conclusion: don’t give up when you see this error and try it again.

Tuesday, December 2, 2014

KMS MP for KMS running on WS2012

Unfortunately there is no KMS MP for WS2012. However, the existing KMS MP works for KMS on WS2012 as well. And, of course, SCOM 2007 MPs work with SCOM 2012 (R2) too.

Just create a new string value "KeyManagementServiceVersion" with the value "dummy" (or anything else) under
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform

After that the MP will discover the KMS. Just give it time (24h), restart the agent or override the discovery interval temporarily.

The “old” MP can be downloaded here:
http://www.microsoft.com/en-us/download/details.aspx?id=12419

Monday, October 27, 2014

Authorized Users Dashboard

It is always a pain to determine all users that have permissions in Operations Manager and the SCOM user role and AD group.

So I created a script to show all that data in a PowerShell Grid Widget. The view at the end looks like the screenshot:

Of course you can change the sort order as expected by the role, group, user or account name.

There is no additional configuration necessary since the script takes the management server from the registry.

The script can be downloaded directly from the TechNet Gallery: https://gallery.technet.microsoft.com/PSGW-Authorized-Users-e566c5aa

You can easily install the AD PowerShell module if you run the Operations Console on a server OS by entering the following command in an elevated PowerShell:
Add-WindowsFeature RSAT-AD-PowerShell
For Windows 7:
http://www.microsoft.com/en-us/download/details.aspx?id=7887
For Windows 8:
http://www.microsoft.com/en-us/download/details.aspx?id=28972
For Windows 8.1:
http://www.microsoft.com/en-us/download/details.aspx?id=39296

Monday, October 13, 2014

SQL Dashboards do not show Display Name

In version 6.5.1.0 of the SQL Management Pack the dashboards have been changed and adapted to 2008 in addition to 2012.

Unfortunately, in some SCOM environments (seems to be the ones that are upgraded from 2007) the DB display name is not shown in the Databases widget and the column is empty.

The problem is that in the dashboard MPs there is a value “$Object/PropertyCollection[Name='DisplayName']$” and that collection simply does not exist.

This can be tested by extracting the MP to XML, searching for the string “PropertyCollection[Name='DisplayName']$” and replacing it with “Property[Name='DisplayName']$”.

Please keep in mind that the MP/XML is still the intellectual property of Microsoft and that the EULA applies!

The sample above is only to show the reason for the missing value.

Thursday, August 14, 2014

Pending agent error during discovery

Yesterday I saw an interesting issue at a customer: whenever they tried to deploy an agent using the discovery wizard, immediately after kicking off the discovery they got a message that the agent was already under pending management. However, there were no agents under Administration, Pending Management.

Weird, but using the PowerShell Get-SCOMPendingManagement showed exactly the machine supposed to be discovered.

Usually you’d fire a Get-SCOMPendingManagement | Deny-SCOMPendingManagement and discover the machine again to be sure that the discovery and push-deployment was ok. Unfortunately that brought up an error again.

So we had to approve it first using Get-SCOMPendingManagement | Approve-SCOMPendingManagement and delete the agent from Agent Managed before re-discovering it successfully this time.

Again, this is just a workaround. Until now I haven’t seen that issue again to dive deeper into troubleshooting.

Not a big thing, but tricky after all.

Thursday, July 3, 2014

Different Resolution States in Consoles

After you’ve updated from SCOM 2007 to 2012 (or later), your console users might see different resolution states than the ones you’ve configured under Administration/Settings/Alerts.

That might be the case if you’ve used custom resolution states with IDs that are now used by the resolution states coming with the 2012 (or later) version. Those resolution states are used in TFS WI sync scenarios to show the state of the related WI directly at the alert.

You can go to the settings and re-enter your display string for each resolution state. I recommend using IDs other than the ones reserved for TFS (247, 248, 249, 250, 254) if that is possible in your environment.

Happy SCOM’ing,
Patrick
